A critical security vulnerability in the iTunes application for Windows 10 and Windows 11 users could have enabled malicious attackers to arbitrarily execute code remotely, Apple has confirmed in a support document published 8 May.
What Is CVE-2024-27793?
Willy R. Vasquez, a Ph.D. student and security researcher with The University of Texas at Austin, whose sandboxing code contributions can be found in the Firefox 117 web browser, was behind the discovery of CVE-2024-27793. The vulnerability, rated critical using the Common Vulnerability Scoring System v3, impacts the CoreMedia framework, which defines the media pipeline ultimately used to “process media samples and manage queues of media data,” according to Apple.
Apple does not “disclose, discuss, or confirm security issues” until such a time as an investigation has taken place and a fix is available. The good news is that such a fix is now available, but details of the vulnerability remain few and far between. I have approached both Apple and Vasquez for more information and will update this article as soon as I learn anything more.
Which Users Are Impacted By The Apple iTunes Vulnerability?
What is known is that it applies to versions of the iTunes for Windows app prior to 12.13.2, which was released on 8 May to coincide with the security posting. Specifically, users of the iTunes app running on Windows 10 and 11 platforms should take note. According to the security document published by Apple Support, the impact of the vulnerability is that “parsing a file may lead to an unexpected app termination or arbitrary code execution.”
In other words, an attacker could use a maliciously crafted file that, when parsed, could enable them to execute arbitrary code. The attacker, it should be said, doesn’t have to be someone with local access to the Windows machine in question. That the vulnerability could lead to such remote code execution is the primary reason for the CVSS v3 critical rating of 9.1 out of 10. It is also known that the vulnerability was born out of improper checks in the CoreMedia framework component, because Apple says it was “addressed with improved checks.”
According to the Vulnerability Database resource, CVE-2024-27793 can be exploited easily, remotely and without any form of authentication. Successful exploitation does, however, require user interaction. One assumes this would be by clicking on a link or visiting a site where the malicious file can be parsed by CoreMedia.